Mobile stations, such as mobile phones, have become very popular during the recent years and are spreading rapidly to become an item everyone owns. The availability of mobile stations and their widespread distribution together with the realization that mobile stations are in fact sophisticated communication devices has led to the introduction of m-commerce (mobile commerce)—mobile stations as means for conducting payments for goods or services.
When using the mobile station for conducting payments, it is very important that e.g. a bank receiving information from a mobile station containing payment instructions, not only can trust that the received request originates from the owner of the account but actually prove to a third party that the owner must have generated the received payment instruction. A method of checking the above could be by storing the owners phone number together with the account number and then when receiving a request, checking whether the number of the phone transmitting the request corresponds to the stored phone number.
A problem with the above is that unauthorised access to an account is possible by using e.g. a stolen mobile phone, because in the above example the bank trusts that the person using a mobile phone is the rightful owner of the mobile phone. Or even worse, the information used for identification could be stolen for masquerading purposes, e.g. to fraudulently pretending to have the identity of someone else, or to retrieve more information, e.g. sensitive information, by listening to communications between the mobile phone and the bank.
To prevent unauthorised access to information in general, and to accounts in particular, it is well known to use encryption of information. The purpose for encryption is to convert human readable information into something unreadable (and decryption is by definition the reverse). The reason to use encryption is in general to convert e.g. private and/or sensitive information into a form that only a person/a device who knows how to decrypt it can read it. There are two basic forms of encryption are symmetric and asymmetric cryptography. In symmetric encryption, the same special “key” is used to encrypt and decrypt the data. In asymmetric encryption the sender and the receiver each possess a key pair containing a public key and a private key.
Even if symmetric encryption was used to secure a communication between a mobile station and the bank, the system would not offer non-repudiation, i.e. it would not be possible for the bank to prove that a certain person had initiated the payment.
The technology available today enables the owner of a mobile terminal to initiate a public key generation on the mobile terminal. But the challenge, which is addressed by the present invention, is subsequently to communicate the public key of the device to a key managing computer, representing e.g. as banks, in a secure manner.
The obvious alternative is to introduce a so-called Public Key Infrastructure (PKI), where the public keys of the users are made available in a central database used a so-called certificate. But this entails a number of practical problems, which can be quite tedious and expensive.
When a PKI is established, one of the most tedious steps of the whole process is the identification and registration of the public keys of the users.
In the X.509 or the EMV approach this is typically achieved in one of the following ways:                1) The public keys pairs are generated centrally, the private key is stored on a device such as a chip card protected by a PIN-code, the user is being identified and a certificate is generated which ties the ID of the user to the public key. The device is then communicated through one channel to the user and the PIN-code through another, e.g. via PIN-mail.        2) Independently of how the keys have been generated, the user, after having been physically identified goes through a process of registering his public key. One method which is widely adapted is to print a hash imprint of the public key, sign this with an old-fashioned, hand-written signature, forward it to the bank by personal delivery or by sending it by the traditional postal services and then transmitting the public key electronically as well for the purpose of e-commerce between parties.        
To avoid building such an extensive infrastructure, it is therefore an object of the present invention to provide a method for the bank to register the public key of a mobile device in a secure manner without the involvement of paper based routines, and subsequently receiving a request from a mobile station to check whether the mobile station is being operated according to the intention of the owner and thereby can be trusted.
The object can also be defined in more general terms.
It is desirable to find a method for a first party to receive information from a second party using a mobile station, such as a mobile phone, where the first party can thrust that the second party really is the party identified by the mobile communication device.